Ace Your EC0-479 ECSA Exam

Make tow copies of each evidence item using a single imaging tool

Make a single copy of each evidence item using an approved imaging tool

Make two copies of each evidence item using different imaging tools

Only store the original evidence item

It traverses the file system and produces a listing of all files based on the modification, access and change timestamps

It can recover deleted file space and search it for datA. However, it does not allow the investigator t preview them

The tools scans for i-node information, which is used by other tools in the tool kit

It is tool specific to the MAC OS and forms a core component of the toolkit

A disk imaging tool would check for CRC32s for internal self checking and validation and have MD5 checksum

Evidence file format will contain case data entered by the examiner and encrypted at the beginning of the evidence file

A simple DOS copy will not include deleted files, file slack and other information

There is no case for an imaging tool as it will use a closed, proprietary format that if compared to the original will not match up sector for sector